Infrastructure Division
Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
Application Division
Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter
Binghamton Bank
Risk Analysis
April 24, 2015 Aegis 1
Agenda
• Overview of Binghamton Bank
• Executive Summary
• Aegis Analysis
• Infrastructure Risk Analysis
• Application Risk Analysis
• Summary
March 20, 2015 Aegis - Infrastructure Division 2
Overview of Binghamton Bank
Background of Binghamton Bank
• Binghamton Bank Corporation is the largest bank in the Northeastern region
• Headquarters in Boston, MA
• Specializes in commercial, retail and investment banking
• Binghamton Bank has $50 million in assets
• New CEO Conner Wayne
• “Building a Sanctuary for your Future”
• Strives to be the number one bank to safely protect one's investments and interests
Binghamton Bank Issues
• Requests to enhance their applications and infrastructure to create a company that better serves the customer
• Software upgrade issues
• Stopped payments for 2 hours
• Large monetary loss
• Web application issue
• Customers could not access their accounts
• Log-in troubles
• Reliability and reputation issues
Executive Summary
1. Online Banking Security
Risks:
•High traffic
•Unsecure networks
•Low authorization
•Allows remote access
Applicable to Bank:
•Reputation
•Vulnerable information
•Database breach
Recommendations:
•2 factor authentication
•Monitoring
•Safeguards
•Encryption
2. FIN
Risks:
•Backup system
•Test contingency plan
•Windows 2000
•Test employees
Applicable to Bank:
•Pivotal Operations
•Recovery time
•Prevent breaches
Recommendations:
•Test contingency plan annually
•Update servers
•Cold Sites
•Monthly fake scams
3. BODPS
Risks:
•No authorization
•Employee training
•Confidential information
•Breaches
Applicable to Bank:
•Easy to hack database
•GLBA violation
•Critical functions
Recommendations:
•High authentication
•Compliance
•Training workshops
4. ATM Disaster Prevention
Risks:
•7 critical vendors
•Backup generator
•Vendor transitions
•Unreliable vendors
Applicable to Bank:
•National news
•Loss of operations
•Recovery time
Recommendations:
•Backup generator
•Transition vendor
•Review vendors annually
Executive Summary - Write here
ATM Vendor Dependency
Risks:
•Reliant on external vendors for ATM operations
•Lacking emergency protocol
Outcomes:
•Vendor reliability awareness
•Less fail time
Online Banking Remote Security
Risks:
•Compromised information and reputation due to weak security
Outcomes:
•Prevention of information disclosure
DR/Server Security
Risks:
•No data encryption
•Lack of backup plan tests
•Out of date servers
Outcomes:
•Reputation in safe customer information
•Smoother emergency procedure
BODPS
Risks:
•High traffic
•Unsecure networks
•Remote Access
Recommendations
NorthGO
Risks:
•High traffic
•Unsecure networks
•Remote Access
Recommendations
FIN
Risks:
•High traffic
•Unsecure networks
•Remote Access
Recommendations
Application down, infrastructure up (I'll fix format)
Executive Summary
1. Online Banking
Security
Risks:
•High traffic
•Unsecure networks
•Remote Access
Applicable to bank:
•Reputation
•Vulnerable critical
information
•Database breach
Recommendations:
•Two factor
authentication
•Monitoring
•Remote access
safeguards
•Encryption
2. FIN
Risks:
•Backup System
•Contingency plan
tests
•Windows 2000
•Test employees
Applicable to bank:
•Pivotal operations
•Recovery time
•Prevent breaches
Recommendations:
•Test contingency
plan annually
•Update servers
•Cold sites
•Monthly employee
scam tests
3. BODPS
Risks:
•No authorization
•Employee training
•Confidential
information
•Breaches
Applicable to bank:
•Easy to hack
database
•GLBA violation
•Critical functions
Recommendations:
•High authentication
•Compliance
•Training workshops
for employees
4. ATM Disaster
Prevention
Risks:
•7 critical vendors
•No backup
generator
•Vendor transitions
•Unreliable vendors
Applicable to bank:
•National news
•Loss of operations
•Recovery time
•Financial loss
Recommendations:
•Backup generator
•Transition vendor
•Review vendors
annually
Aegis Analysis
• Tool
  Designed a custom tool that takes user answers and calculates inherent risk, control strength and residual risk
• Criteria
  • Operational
    Risks associated with functions inside of the company and risks that affect the internal day-to-day activities
  • Financial
    Risks associated with business transactions including both financial dealings and non-monetary trading or sharing
  • Technological
    Risks resulting from failures or errors by IT devices or systems put in place by the company
  • External
    Any associated risk due to an uncontrollable occurrence outside of the company
Infrastructure
Risk Analysis
1. ATM Vendor Dependency
Inherent Risk
Operational
● Process 2,000-5,000 transactions per hour
External
● Negative media will reach national news
● ATMs utilize 7 or more critical vendors
Control Strength
External
● ATMs do not have backup generators
● ATMs do not have cold sites in place
● Cannot transition to another vendor
● Bank takes no precautions to ensure vendors are reliable
ATMS Operational Financial Technological External
Inherent 53 40 78 67
Control 28 10 25 9
Residual 38 36 58 60
1. ATM Vendor Dependency
On average ATMs process 180% more transactions per hour than online banking
Reputational Loss
- ATM failures would be known nationally
- Dependence on processes outside of Binghamton Bank’s control
Recommendations
Vendor Reliability:
- Have a transitional backup vendor for each critical vendor
Increase Awareness of Vendor Reliability:
- Perform quarterly financial reviews
- Background checks on vendors (SOC-II)
- Annual Debrief with Vendor Management
create/practice vendor contingency plan
Failure Preventions:
- Implement an Automatic Transfer Switch (ATS) to reduce fail time
2. Online Banking Remote Access Security
ATMS Operational Financial Technological External
Inherent 48 41 66 49
Control 30 10 24 20
Residual 34 37 50 50
Inherent Risk
Technological
● Less than 25% of online banking operations can be performed with failed servers
● More than 60% of sensitive information would be compromised in the event of a breach to the database
● Allowing remote access for online banking may lead to potential risks
Financial
● Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations
Control Strength
Technological
● No multi-tier authentication in order to gain access to online banking remotely
● Weak prevention of unauthorized access to network
● No encryption of sensitive information
2. Online Banking Remote Access
Reasons why the Risk is a Priority
Reputational Loss
● Decrease in accountability to customers if servers were to fail
● Loss of sensitive information will result in non-compliance with GLBA
Monetary Loss
● Each violation of GLBA can be fined up to $100,000
Customer Safety
● Hackers could disclose or utilize customer information
Recommendations
- Include SSL certificates to encrypt data for all subdomains
- Require virtual machines for employee remote access
- Enable remote wipe for company devices
- Require 2 step authentication for employee remote access
- Enable Virtual Private Network
Prevent unauthorized access to network
- Only allow pre-authorized MAC addresses
- Implement a monitoring and logging system
- Separate networks by critical information
3. DR/Servers Security
Inherent Risk
Technological:
● 10% - 30% of critical infrastructures are not up to date
● Less than 25% can perform with failed servers
● More than 60% of sensitive information would be compromised if databases were breached
● Allowing remote access to company systems may lead to potential risks
Financial:
● Noncompliance can result in greater than $200,000 in fines
Control Strength
Technological:
● Tests contingency plan every 2-5 years
● Tests for employees for online threats every year or more
● Servers do not encrypt sensitive information
Financial:
● IT employees are not well versed with financial goals and objectives
ATMS Operational Financial Technological External
Inherent 59 43 67 44
Control 25 15 20 18
Residual 44 36 53 36
3. DR/Servers Security
Reasons why the Risk is a Priority
Monetary Loss
● GLBA fines if sensitive information is compromised
● Excess and/or unnecessary activities are performed by the IT department
Reputational and Reliability Loss
● Weak ability to adapt to unanticipated events
Recommendations
- COBIT governance framework - familiarize IT employees with business standards and goals
- Secure Sockets Layer (SSL) certificates establish a link between the server and a client
- 256 bit AES encryption
- Test employees for phishing schemes monthly
- Test contingency plan annually
- Upgrade to Windows 2012 R2 Standard edition
  - Costly
    1,000 servers - $800,000
    2,500 servers - $2.2 million
    5,000 servers - $4.4 million
    7,000 servers - $6.1 million
Infrastructure Summary
1. ATM Vendor
Dependency
Risks:
•Reliant on many critical
vendors to operate ATMs
•Lacking emergency plan for
failed vendor
•Alternate Power source
unavailable
Recommendations:
•Increase vendor reliability
awareness
•Implement Automatic
Transfer Switch
•Transitional Vendors
2. Online Banking Remote
Access Security
Risks:
•Weak preventions for
network access
•Sensitive information not
encrypted
•Weak authentication for
access
Recommendations:
•SSL certificates
•Virtual machines
•Remote wipe
•Prevent unauthorized
network access
3. DR/Servers Security
Risks:
•No encryption of sensitive
information
•Contingency plan not tested
frequently
•Servers not up to date
Recommendations:
•Upgrade servers to
Windows 2012 R2
•Utilize COBIT
•Enable SSL certificates
•Encrypt sensitive
information
•Test contingency plans
Detailed Analysis
Application Risks
BODPS: Current State
● Operational:
○ Extremely critical for business functions
○ Employees are not trained to properly use and secure this
application
○ Bank is unsure how secure online networks are for customer access
● Technology
○ Integrates with many critical applications and contains sensitive
customer data
○ No levels of authorization and no scheduling of upgrades and
maintenance
● Financial
○ No mechanism in place to inform customers that their assets are
secure
Operational Financial Technological External
Inherent 84 15 88 75
Control 38 44 20 41
Residual 52.08 15 70.4 44.25
BODPS: Risk & Consequences
Overall Application Risk: Poor Security. This can lead to a loss of sensitive client data.
Additionally, BODPS is responsible for sending data to iReport to create financial
documents. Poor security can lead to altering of this data and publishing financial
statements that are not accurate. (This can lead to a violation of SOX)
● Risk: No authorization levels
● Consequence: Anyone can access this data. Nothing that authorizes the user as being
a trustworthy person to access the information
● Risk: Employees are not properly trained
● Consequence: Employees can divulge information and leave workstations logged in.
Not knowing security measures can lead to them sharing confidential information
● Risk: No mechanism in place to inform customers that their data is secure
● Consequence: Customers will not know if their data has been compromised or shared
● Risk: Poor security can lead to altering of this data and publishing financial
statements that are not accurate and poor security can lead to a leak of customer
data
● Consequence: Lead to a violation of SOX and GLBA
BODPS: Recommendations
● Implement two level authorization for employees with the implementation of
security tokens as an initial step to address poor security. Employees have to
enter one password that they create, followed by a security token that
constantly changes the password
● Implement training courses so employees are aware of how to properly and
legally use application. Employees should be aware of social engineering threats
and not divulge information while also logging off after use
● Company should properly allocate their resources and funds to spend on training
programs and frequent updates that are capable of providing the most up to
date security measures
NorthGo: Current State
Operational Financial Technological External
Inherent 84 42 56 15
Control 56 11 20 40
Residual 37 37 45 15
• Operational:
• Backup systems exist but do not demonstrate full functionality
• Internal monitoring system needs to be updated
• Online networks that customers use are not secure
• Technology
• No authorization levels for application that stores sensitive client
information
• Rarely upgraded to be able to operate under heavy user traffic
• No alternative operation methods if integrated application fails
• Financial
• Investing in online application is crucial to maintaining and
expanding customer base
• No funds allocated towards application recovery
NorthGo: Risk & Consequences
Overall Application Risk: Application Overload. This application experiences heavy
traffic from both employees and customers, and with nothing in place to mitigate
overload, NorthGo is prone to overloading and failing. Failure of NorthGo can make
it prone to security threats and lead to loss of customer confidence
● Risk: No system in place to mitigate application overload
● Consequence: Failure of system due to increased traffic can lead to another
NorthGo crash which will lead to monetary loss and loss of customer faith.
Having the system down still leaves it open to security threats where customers'
information can be stolen or compromised. This consequence also leads to a
GLBA violation
● Risk: NorthGo does not have a system backup
● Consequence: If another NorthGo crash occurs, Binghamton Bank will earn the
reputation of providing poor applications. Customers will not have confidence
and there will be a loss of clientele
NorthGo: Recommendations
● Put a system in place to mitigate application overload
● Allocate more funds to application upgrades, maintenance and failure recovery
● Implement internal monitoring system to gauge traffic and alert employees if
system is close to overloading
● Increase traffic capacity
● Two factor authorization for employees and customers
○ Smart tokens and password for employees
○ Password and automatic sending of email with temporary access code
● Password and text update to customers on current state of their data
FIN: Current State
● Operational:
○ Binghamton Bank does not have a fully functioning backup system in
place
○ Unsure if this application’s functions can be completed manually if it
were to fail
○ Unsure if the bank has an internal monitoring system to alert
employees of an application failure
○ There are no compliance checks to make sure that new standards and
regulations are being met
○ Binghamton Bank runs into noncompliance issues >20 times
● External:
○ System audits are only conducted yearly
○ Vendors never provide system upgrades
Operational Financial Technological External
Inherent 100 100 100 15
Control 69 87 89 9
Residual 31 13 11 14
FIN: Risk & Consequences
Overall Application Risk: FIN Failure. FIN is the central financial application of
Binghamton Bank and it integrates and monitors all financial transactions in one
location. Not having a fully functioning backup system for an application whose
functions cannot be completed manually is a risk
• Risk: No proper backup system in place to mitigate application failure
• Consequence: Application’s functions cannot be completed and crucial bank
functions will be halted. FIN failure is a security threat because a system crash
can open it up to hacking threats
• Risk: Cannot be completed manually if the application were to fail
• Consequence: Operations cannot continue to run effectively because the bank
would have to record all transactions on paper slowing down operations to a
point where everything is backlogged
• Risk: Short recovery time objective
• Consequence: Bank will lose money quickly if application’s functions are not
restored in
FIN: Recommendations
● Implement a more robust data backup and backup security measures in
case of application failure while investing in a more fully functional
system that can take over and perform FIN’s functions if there is an
emergency
● Set up a failure recovery plan to help take over for FIN
● Internal monitoring system to tell when FIN is going to fail
● Train employees to properly use FIN’s backup systems
Application Summary
BODPS
● Current State of Application: Has poor security strength and poorly trained employees to use application securely
● Risk to Binghamton Bank: Employees can divulge client information and information can be accessed and altered easily, leading to violations
● Recommendation: Implement security tokens and implement application and regulation training program for employees
NorthGo
● Current State of Application: Current backup system is not functioning at full capacity. No Authorization levels
● Risk to Binghamton Bank: System overload. Cannot function efficiently and properly.
● Recommendation: Implement internal monitoring system. Reallocation of funds.
FIN
● Current State of Application: Does not have a fully functioning backup system. Unsure if application’s functions can be completed manually.
● Risk to Binghamton Bank: FIN failure. No proper backup system in place. Cannot be completed manually. Short recovery time objective.
● Recommendation: Implement a more robust backup system. Set up a failure recovery plan. Internal monitoring system to tell when FIN is going to fail.
Analysis Summary & Recommendations
Overall Summary
• We want to explain what controls the bank has currently in place that are
good
• What controls Binghamton Bank is missing
• Our recommendations by priority
Thank you
Questions?
Infrastructure Division: Chloe Chan, Janet Chan, Kyle
Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
Application Division: Alexis Cai, Derek Liu, Gary Liku,
Joshua Neustadter, Sharon Han & Zachary Alexander
Tool Demonstration
Video Demonstration
Appendix
- Regulations
- Financial Calculations

PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 

Binghamton Bank Risk Analysis.pptx

  • 1. Binghamton Bank Risk Analysis (April 24, 2015, Aegis)
      Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
      Application Division: Zachary Alexander, Alexis Cai, Sharon Han, Gary Liku, Derek Liu & Joshua Neustadter
  • 2. Agenda (March 20, 2015, Aegis - Infrastructure Division)
      • Overview of Binghamton Bank
      • Executive Summary
      • Aegis Analysis
      • Infrastructure Risk Analysis
      • Application Risk Analysis
      • Summary
  • 3. Overview of Binghamton Bank
  • 4. Background of Binghamton Bank
      • Binghamton Bank Corporation is the largest bank in the Northeastern region
      • Headquarters in Boston, MA
      • Specializes in commercial, retail and investment banking
      • Binghamton Bank has $50 million in assets
      • New CEO Conner Wayne
      • “Building a Sanctuary for your Future”
      • Strives to be the number one bank to safely protect one's investments and interests
  • 5. Binghamton Bank Issues
      • Requests to enhance their applications and infrastructure to create a company that better serves the customer
      • Software upgrade issues
      • Stopped payments for 2 hours
      • Large monetary loss
      • Web application issue
      • Customers could not access their accounts
      • Log-in troubles
      • Reliability and reputation issues
  • 6. Executive Summary
  • 7. Executive Summary
      1. Online Banking Security
         Risks: High traffic; Unsecure networks; Low authorization; Allows remote access
         Applicable to Bank: Reputation; Vulnerable information; Database breach
         Recommendations: 2 factor authentication; Monitoring; Safeguards; Encryption
      2. FIN
         Risks: Backup system; Test contingency plan; Windows 2000; Test employees
         Applicable to Bank: Pivotal Operations; Recovery time; Prevent breaches
         Recommendations: Test contingency plan annually; Update servers; Cold Sites; Monthly fake scams
      3. BODPS
         Risks: No authorization; Employee training; Confidential information; Breaches
         Applicable to Bank: Easy to hack database; GLBA violation; Critical functions
         Recommendations: High authentication; Compliance; Training workshops
      4. ATM Disaster Prevention
         Risks: 7 critical vendors; Backup generator; Vendor transitions; Unreliable vendors
         Applicable to Bank: National news; Loss of operations; Recovery time
         Recommendations: Backup generator; Transition vendor; Review vendors annually
  • 8. Executive Summary - Write here
      ATM Vendor Dependency
         Risks: Reliant on external vendors for ATM operations; Lacking emergency protocol
         Outcomes: Vendor reliability awareness; Less fail time
      Online Banking Remote Security
         Risks: Compromised information and reputation due to weak security
         Outcomes: Prevention of information disclosure
      DR/Server Security
         Risks: No data encryption; Lack of backup plan tests; Out of date servers
         Outcomes: Reputation in safe customer information; Smoother emergency procedure
      BODPS
         Risks: High traffic; Unsecure networks; Remote Access
         Recommendations
      NorthGO
         Risks: High traffic; Unsecure networks; Remote Access
         Recommendations
      FIN
         Risks: High traffic; Unsecure networks; Remote Access
         Recommendations
      Application down, infrastructure up (I'll fix format)
  • 9. Executive Summary
      1. Online Banking Security
         Risks: High traffic; Unsecure networks; Remote Access
         Applicable to bank: Reputation; Vulnerable critical information; Database breach
         Recommendations: Two factor authentication; Monitoring; Remote access safeguards; Encryption
      2. FIN
         Risks: Backup System; Contingency plan tests; Windows 2000; Test employees
         Applicable to bank: Pivotal operations; Recovery time; Prevent breaches
         Recommendations: Test contingency plan annually; Update servers; Cold sites; Monthly employee scam tests
      3. BODPS
         Risks: No authorization; Employee training; Confidential information; Breaches
         Applicable to bank: Easy to hack database; GLBA violation; Critical functions
         Recommendations: High authentication; Compliance; Training workshops for employees
      4. ATM Disaster Prevention
         Risks: 7 critical vendors; No backup generator; Vendor transitions; Unreliable vendors
         Applicable to bank: National news; Loss of operations; Recovery time; Financial loss
         Recommendations: Backup generator; Transition vendor; Review vendors annually
  • 10. Aegis Analysis
  • 11. Aegis Analysis
      • Tool: Designed a custom tool that takes user answers and calculates inherent risk, control strength and residual risk
      • Criteria
         - Operational: Risks associated with functions inside of the company and risks that affect the internal day-to-day activities
         - Financial: Risks associated with business transactions including both financial dealings and non-monetary trading or sharing
         - Technological: Risks resulting from failures or errors by IT devices or systems put in place by the company
         - External: Any associated risk due to an uncontrollable occurrence outside of the company
  • 12. Agenda
  • 13. 1. ATM Vendor Dependency
      Inherent Risk
         Operational
            ● Process 2,000-5,000 transactions per hour
         External
            ● Negative media will reach national news
            ● ATMs utilize 7 or more critical vendors
      Control Strength
         External
            ● ATMs do not have backup generators
            ● ATMs do not have cold sites in place
            ● Cannot transition to another vendor
            ● Bank takes no precautions to ensure vendors are reliable
      ATMS       Operational  Financial  Technological  External
      Inherent   53           40         78             67
      Control    28           10         25             9
      Residual   38           36         58             60
  • 14. 1. ATM Vendor Dependency
      On average ATMs process 180% more transactions per hour than online banking
      Reputational Loss
         - ATM failures would be known nationally
         - Dependence on processes outside of Binghamton Bank's control
      Recommendations
         Vendor Reliability: Have a transitional backup vendor for each critical vendor
         Increase Awareness of Vendor Reliability:
            - Perform quarterly financial reviews
            - Background checks on vendors (SOC-II)
            - Annual debrief with Vendor Management; create/practice vendor contingency plan
         Failure Preventions: Implement an Automatic Transfer Switch (ATS) to reduce fail time
  • 15. 2. Online Banking Remote Access Security
      ATMS       Operational  Financial  Technological  External
      Inherent   48           41         66             49
      Control    30           10         24             20
      Residual   34           37         50             50
      Inherent Risk
         Technological
            ● Less than 25% of online banking operations can be performed with failed servers
            ● More than 60% of sensitive information would be compromised in the event of a breach to the database
            ● Allowing remote access for online banking may lead to potential risks
         Financial
            ● Binghamton Bank would face greater than $200,000 in fines in the event of non-compliance with regulations
      Control Strength
         Technological
            ● No multi-tier authentication in order to gain access to online banking remotely
            ● Weak prevention of unauthorized access to network
            ● No encryption of sensitive information
  • 16. 2. Online Banking Remote Access
      Reasons why the Risk is a Priority
         Reputational Loss
            ● Decrease in accountability to customers if servers were to fail
            ● Loss of sensitive information will result in non-compliance with GLBA
         Monetary Loss
            ● Each violation of GLBA can be fined up to $100,000
         Customer Safety
            ● Hackers could disclose or utilize customer information
      Recommendations
         - Include SSL certificates to encrypt data for all subdomains
         - Require virtual machines for employee remote access
         - Enable remote wipe for company devices
         - Require 2 step authentication for employee remote access
         - Enable Virtual Private Network
         Prevent unauthorized access to network
            - Only allow pre-authorized MAC addresses
            - Implement a monitoring and logging system
            - Separate networks by critical information
  • 17. 3. DR/Servers Security
      Inherent Risk
         Technological:
            ● 10% - 30% of critical infrastructures are not up to date
            ● Less than 25% can perform with failed servers
            ● More than 60% of sensitive information would be compromised if databases were breached
            ● Allowing remote access to company systems may lead to potential risks
         Financial:
            ● Noncompliance can result in greater than $200,000 in fines
      Control Strength
         Technological:
            ● Tests contingency plan every 2-5 years
            ● Tests for employees for online threats every year or more
            ● Servers do not encrypt sensitive information
         Financial:
            ● IT employees are not well versed with financial goals and objectives
      ATMS       Operational  Financial  Technological  External
      Inherent   59           43         67             44
      Control    25           15         20             18
      Residual   44           36         53             36
  • 18. 3. DR/Servers Security
      Reasons why the Risk is a Priority
         Monetary Loss
            ● GLBA fines if sensitive information is compromised
            ● Excess and/or unnecessary activities are performed by the IT department
         Reputational and Reliability Loss
            ● Weak ability to adapt to unanticipated events
      Recommendations
         - COBIT governance framework: familiarize IT employees with business standards and goals
         - Secure Sockets Layer (SSL) certificates establish a link between the server and a client
         - 256 bit AES encryption
         - Test employees for phishing schemes monthly
         - Test contingency plan annually
         - Upgrade to Windows 2012 R2 standard edition (costly):
              1,000 servers - $800,000
              2,500 servers - $2.2 million
              5,000 servers - $4.4 million
              7,000 servers - $6.1 million
  • 19. Infrastructure Summary
      1. ATM Vendor Dependency
         Risks: Reliant on many critical vendors to operate ATMs; Lacking emergency plan for failed vendor; Alternate power source unavailable
         Recommendations: Increase vendor reliability awareness; Implement Automatic Transfer Switch; Transitional Vendors
      2. Online Banking Remote Access Security
         Risks: Weak preventions for network access; Sensitive information not encrypted; Weak authentication for access
         Recommendations: SSL certificates; Virtual machines; Remote wipe; Prevent unauthorized network access
      3. DR/Servers Security
         Risks: No encryption of sensitive information; Contingency plan not tested frequently; Servers not up to date
         Recommendations: Upgrade servers to Windows 2012 R2; Utilize COBIT; Enable SSL certificates; Encrypt sensitive information; Test contingency plans
  • 21. BODPS: Current State
      ● Operational:
         ○ Extremely critical for business functions
         ○ Employees are not trained to properly use and secure this application
         ○ Bank is unsure how secure online networks are for customer access
      ● Technology
         ○ Integrates with many critical applications and contains sensitive customer data
         ○ No levels of authorization and no scheduling of upgrades and maintenance
      ● Financial
         ○ No mechanism in place to inform customers that their assets are secure
                 Operational  Financial  Technological  External
      Inherent   84           15         88             75
      Control    38           44         20             41
      Residual   52.08        15         70.4           44.25
  • 22. BODPS: Risk & Consequences
      Overall Application Risk: Poor Security. This can lead to a loss of sensitive client data. Additionally, BODPS is responsible for sending data to iReport to create financial documents. Poor security can lead to altering of this data and publishing financial statements that are not accurate. (This can lead to a violation of SOX)
      ● Risk: No authorization levels
      ● Consequence: Anyone can access this data. Nothing authorizes the user as being a trustworthy person to access the information
      ● Risk: Employees are not properly trained
      ● Consequence: Employees can divulge information and leave workstations logged in. Not knowing security measures can lead to them sharing confidential information
      ● Risk: No mechanism in place to inform customers that their data is secure
      ● Consequence: Customers will not know if their data has been compromised or shared
      ● Risk: Poor security can lead to altering of this data and publishing financial statements that are not accurate, and poor security can lead to a leak of customer data
      ● Consequence: Lead to a violation of SOX and GLBA
  • 23. BODPS: Recommendations
      ● Implement two level authorization for employees with the implementation of security tokens as an initial step to address poor security. Employees have to enter one password that they create, followed by a security token that constantly changes the password
      ● Implement training courses so employees are aware of how to properly and legally use the application. Employees should be aware of social engineering threats and not divulge information, while also logging off after use
      ● Company should properly allocate their resources and funds to spend on training programs and frequent updates that are capable of providing the most up to date security measures
  • 24. NorthGo: Current State
                 Operational  Financial  Technological  External
      Inherent   84           42         56             15
      Control    56           11         20             40
      Residual   37           37         45             15
      • Operational:
         - Backup systems exist but do not demonstrate full functionality
         - Internal monitoring system needs to be updated
         - Online networks that customers use are not secure
      • Technology
         - No authorization levels for application that stores sensitive client information
         - Rarely upgraded to be able to operate under heavy user traffic
         - No alternative operation methods if integrated application fails
      • Financial
         - Investing in online application is crucial to maintaining and expanding customer base
         - No funds allocated towards application recovery
  • 25. NorthGo: Risk & Consequences
      Overall Application Risk: Application Overload. This application experiences heavy traffic from both employees and customers, and with nothing in place to mitigate overload, NorthGo is prone to overloading and failing. Failure of NorthGo can make it prone to security threats and lead to loss of customer confidence
      ● Risk: No system in place to mitigate application overload
      ● Consequence: Failure of system due to increased traffic can lead to another NorthGo crash which will lead to monetary loss and loss of customer faith. Having the system down still leaves it open to security threats where customers' information can be stolen or compromised. This consequence also leads to a GLBA violation
      ● Risk: NorthGo does not have a system backup
      ● Consequence: If another NorthGo crash occurs, Binghamton Bank will earn the reputation of providing poor applications. Customers will not have confidence and there will be a loss of clientele
  • 26. NorthGo: Recommendations
      ● Put a system in place to mitigate application overload
      ● Allocate more funds to application upgrades, maintenance and failure recovery
      ● Implement internal monitoring system to gauge traffic and alert employees if system is close to overloading
      ● Increase traffic capacity
      ● Two factor authorization for employees and customers
         ○ Smart tokens and password for employees
         ○ Password and automatic sending of email with temporary access code
      ● Password and text update to customers on current state of their data
  • 27. FIN: Current State
      ● Operational:
         ○ Binghamton Bank does not have a fully functioning backup system in place
         ○ Unsure if this application’s functions can be completed manually if it were to fail
         ○ Unsure if the bank has an internal monitoring system to alert employees of an application failure
         ○ There are no compliance checks to make sure that new standards and regulations are being met
         ○ Binghamton Bank runs into noncompliance issues >20 times
      ● External:
         ○ System audits are only conducted yearly
         ○ Vendors never provide system upgrades
                 Operational  Financial  Technological  External
      Inherent   100          100        100            15
      Control    69           87         89             9
      Residual   31           13         11             14
  • 28. FIN: Risk & Consequences
      Overall Application Risk: FIN Failure. FIN is the central financial application of Binghamton Bank and it integrates and monitors all financial transactions in one location. Not having a fully functioning backup system for an application whose functions cannot be completed manually is a risk
      • Risk: No proper backup system in place to mitigate application failure
      • Consequence: Application’s functions cannot be completed and crucial bank functions will be halted. FIN failure is a security threat because a system crash can open it up to hacking threats
      • Risk: Cannot be completed manually if the application were to fail
      • Consequence: Operations cannot continue to run effectively because the bank would have to record all transactions on paper, slowing down operations to a point where everything is backlogged
      • Risk: Short recovery time objective
      • Consequence: Bank will lose money quickly if application’s functions are not restored in
  • 29. FIN: Recommendations
      ● Implement a more robust data backup and backup security measures in case of application failure, while investing in a more fully functional system that can take over and perform FIN's functions if there is an emergency
      • Set up a failure recovery plan to help take over for FIN
      • Internal monitoring system to tell when FIN is going to fail
      • Train employees to properly use FIN’s backup systems
  • 30. Application Summary
      BODPS
         Current State of Application: Has poor security strength and poorly trained employees to use application securely
         Risk to Binghamton Bank: Employees can divulge client information and information can be accessed and altered easily, leading to violations
         Recommendation: Implement security tokens and implement application and regulation training program for employees
      NorthGo
         Current State of Application: Current backup system is not functioning at full capacity. No Authorization levels
         Risk to Binghamton Bank: System overload. Cannot function efficiently and properly.
         Recommendation: Implement internal monitoring system. Reallocation of funds.
      FIN
         Current State of Application: Does not have a fully functioning backup system. Unsure if application’s functions can be completed manually.
         Risk to Binghamton Bank: FIN failure. No proper backup system in place. Cannot be completed manually. Short recovery time objective.
         Recommendation: Implement a more robust backup system. Set up a failure recovery plan. Internal monitoring system to tell when FIN is going to fail.
  • 32. Overall Summary
      • We want to explain what controls the bank has currently in place that are good
      • What controls Binghamton Bank is missing
      • Our recommendations by priority
  • 34. Tool Demonstration
      Infrastructure Division: Chloe Chan, Janet Chan, Kyle Stim, Lillian Kravitz, Rohit Kapur & Taylor Goudreau
      Application Division: Alexis Cai, Derek Liu, Gary Liku, Joshua Neustadter, Sharon Han & Zachary Alexander
  • 36. Appendix
      - Regulations
      - Financial Calculations